Splunk Search

How to exclude users from service account values: a generic approach?

AL3Z
Builder

Hi,

I'm attempting to create a method to exclude users from service account values without excluding a particular service account. Is there a generic approach we can use to identify and exclude both existing and future service accounts?
How could we write the search for this use case?

Thanks.

0 Karma

AL3Z
Builder

@richgalloway @PickleRick ,

What I need here is: when an event has OU=Service IDs, OU=users, OU=computers, exclude all the src_user from the OU=Service IDs only.

Thanks 



0 Karma

richgalloway
SplunkTrust

It would help to have a more defined set of requirements as well sample input and output, but perhaps this will help.

<<your search>>
| search NOT (OU="Service IDs" AND [ | inputlookup mylookup.csv | fields src_user | rename src_user as sAMAccountName | format ])

Adjust the fields and rename commands as necessary to match your fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
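The lookup-based exclusion from this reply written out as a complete search over Windows security events. This is an added example, not code from the thread: the index, sourcetype, the lookup name service_accounts.csv (one column, src_user) and the exact OU value are assumptions; src_user, OU, SubjectUserName and EventCode 4738 come from the thread. It also covers the multivalue OU case raised later in the thread, using mvfind() so an account is excluded if any of its OU values is "Service IDs".

```spl
index=wineventlog sourcetype=XmlWinEventLog EventCode=4738   ``` assumed index/sourcetype; 4738 = user account changed ```
| search NOT [ | inputlookup service_accounts.csv | fields src_user | format ]   ``` drop accounts on the maintained list; the subsearch expands to NOT ( ( src_user="a" ) OR ( src_user="b" ) ) ```
| where isnull(mvfind(OU, "^Service IDs$"))   ``` OU is multivalue: mvfind returns the index of the first value matching the regex, or NULL when none matches, so only rows with no Service IDs OU survive ```
| table _time, src_user, SubjectUserName, OU   ``` remaining rows are non-service accounts ```
```

The subsearch form mirrors the reply above and is fine for a list of a few thousand accounts. If the list grows past the subsearch result limit, or may be empty, `| lookup service_accounts.csv src_user OUTPUT src_user AS svc | where isnull(svc)` performs the same exclusion without a subsearch.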

AL3Z
Builder

@richgalloway ,

Why do we need a lookup table here? I don't think we need it. I just want to exclude all the service accounts from the OU="Service IDs" from an event.

0 Karma

richgalloway
SplunkTrust

You don't *need* a lookup.  You can put an exclude list directly in the SPL, but that may end up being more difficult to maintain.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

...

0 Karma

richgalloway
SplunkTrust

Apart from the redundant "4738" in the macro, this code looks like it should work.  How is it failing you?

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

...

0 Karma

richgalloway
SplunkTrust

Debug the query by running the commands before the first | in a new query.  Verify the desired fields are present.  Add the commands up to the next | and verify the fields are still there.  Repeat the process until the fields disappear and you'll have found the source.  Post the details if you need help determining the cause.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi, how can we exclude the service account from this event?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>

0 Karma

AL3Z
Builder

Here OU is a multivalue field.

0 Karma

AL3Z
Builder

@richgalloway 

Any suggestions on this use case?

Thanks 

0 Karma

PickleRick
SplunkTrust

Just use a lookup which lists all accounts to exclude.

0 Karma

AL3Z
Builder

Hi,

What if we get the future service accounts?

0 Karma

richgalloway
SplunkTrust

Update the lookup file as new service accounts are added or removed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
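One way to keep the lookup current without hand edits, which addresses the "future service accounts" concern: a scheduled search that rebuilds the list from the OU itself, so any account placed in OU=Service IDs is picked up on the next run. This is an added example, not from the thread; the index, sourcetype, lookback window and the lookup name service_accounts.csv are assumptions, and it is meant to be saved as a scheduled report (for example daily).

```spl
index=wineventlog sourcetype=XmlWinEventLog OU="Service IDs" earliest=-30d@d latest=now   ``` assumed names; matches any event whose multivalue OU contains Service IDs ```
| stats latest(_time) AS last_seen BY src_user   ``` one row per service account seen in the window ```
| inputlookup append=true service_accounts.csv   ``` merge the previous list so accounts that were quiet this run are not dropped ```
| stats max(last_seen) AS last_seen BY src_user   ``` collapse duplicates, keeping the newest sighting ```
| outputlookup service_accounts.csv   ``` rewrite the lookup that the exclusion search reads ```
```

The merge step means an account stays on the list until it is removed deliberately; if that is not wanted, drop the inputlookup and second stats lines and the list will contain only accounts active in the window. inputlookup errors on a missing file, so create an empty service_accounts.csv (or run the search once without the merge lines) before scheduling it.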

AL3Z
Builder

Hi

Any idea 

0 Karma